Speakers: Audits in Time of COVID-19 Require Creativity, But Still Can Be Done

Chris Gaetano
Published Date:
Mar 27, 2020

AICPA Chief Auditor Bob Dohrer and Clark Nuber shareholder Andrew Prather, speaking on a recent Institute webcast, acknowledged that this age of social distancing can make audits tricky, but they said that it's still possible to do them in compliance with current standards, with a little creativity.

Dohrer said that, global pandemic or no, auditing standards are still in effect and must be complied with before auditors issue their auditor's report, no matter the challenges to our society. This is no time, he said, to abandon professionalism and attention to detail.

"It's the compliance that brings order and some normalcy, if you will, to the situation we're going through today. The [pandemic] doesn't lead to an audit holiday. We can't issue financial statements and auditor reports that just kind of say we did the best we could," he said.

He did note that complying with these standards right now could mean performing a remote audit, which not everyone is experienced with. While some auditors are approaching remote audits with trepidation, he noted that the standards themselves are generally more concerned with what evidence is required rather than how the auditor is to obtain that evidence. He asked CPAs to keep this in mind as they plan their remote audits.

"Focus on the objective, what the requirements are, and then be creative and be free to innovate within those standards to achieve those objectives," he said. "As long as we do that, we'll be just fine with our auditing and attestation services." 

A remote audit has some unique planning considerations. Dohrer advised firms, first of all, to determine early about their need for specialists and how they will coordinate with them, as he expects there will be a high demand for them in the coming months, especially valuation experts. He also said that since technology will play such a key role, firms should ensure that auditors are trained on how to use it, whether it's video conferencing software to talk to management or a GoPro camera to look at inventory. Planning stages should also account for the analytics at this time, he said, noting that anything that involves some sort of historical comparison is going to be suspect, as society is going through some pretty unique circumstances right now. Consequently, someone's ability to design analytics might be challenged during this period.

Prather expanded this warning into a general point, saying that auditors should be questioning the utility of all their past procedures in this current time, as many won't be relevant.

"If you have procedures where you've kind of always expected things to be similar to past years [as you're] doing multiyear trends, this year, as an audit team, you have to assume things won't be the same as the last several years. We've had major disruptions to the way businesses operate. ... So designing those analytics will need a very different mindset," he said.

Fraud inquiries are a good example. Dohrer said that fraud risk assessments are most effective when done in person, because the auditor can observe body language and have a better read on facial expressions. Conducting these inquiries remotely, then, will be much more difficult because the auditor is effectively cut off from those cues, and so they should keep that in mind.

Internal controls will be another major challenge area, said Prather. Because of the unprecedented nature of this pandemic, companies standing internal control processes likely aren't applicable anymore, and so "it's almost like you've got two sets of controls you need to test and rely on" which he said may not be efficient, and so "it really puts the emphasis on the need for audit teams to devote extra time to plan audit engagements and vet these issues out to determine what procedures in the past continue working and what we need to do a little differently."

Dohrer said that there is "no doubt that clients are processing financial information in ways that they have not done so in the past." If they don't have employees coming into the office, for example, that assuredly means they've had to change how they process transactions. He agreed that auditors need to assess and test whatever system the company has put up in place of the old one and think of it as, in some cases, "a little bit like a new audit" because the change is so drastic. On top of this, internal controls testing has many of the same issues as fraud inquiries in that the auditor won't be there to physically look at things and talk to people. While he said that the AICPA is "looking at [these problems] to design substantive procedures and responses appropriately," he conceded right now there are limits to what can be done in this area because there's no real precedent for it.

"I think it will also put some stress on our ability to rely on controls simply because there won't be a lot of track record there, and to be honest with you, it's probably a little questionable how extensive work we can do with testing operating effectiveness in the environment we'll be looking at," he said.

Another major area of consideration, said Dohrer, will be inventory observations. He noted, first, that there's nothing in the standards that prohibit using video feeds in doing so, as it is only required that the auditor "document the procedures before and the results and conditions of those procedures." However he added that auditors need to make some special considerations if that's what they choose. For instance, they should consider whether there's a way to document the observation, or if there's "maybe an extra step" that can be done to verify what the video is actually showing or if it's even coming from the location the client says it is.

"Is it the client's warehouse? Is there some visual recognition you can have that this is real and happening?" he said.

At the same time, as in other aspects of remote audits, auditors should recognize the limitations of the approach. For inventory observations, while a video feed can be good for counting inventory, Dohrer said because the auditor can't touch or take a closer look at the items, inventory conditions become much more difficult to assess. One thing he does not think is a risk particular to using a video feed for inventory observation, however, is whether people are doing things off-camera.

"We've had questions: 'Bob, what happens if the camera isn't set up right? They could be moving inventory outside the view of the camera.' That's a risk, but that's a risk for any inventory observation, even in person, because certainly we're in one location in a warehouse, but we can't be looking at every part of the warehouse necessarily, and movement could be taking place behind us or off site also," he said.

In the event that the auditor can't even get a video feed, however, Dohrer said that they can, if circumstances warrant, do an inventory observation at a subsequent date to the financial statement and then roll back, which he said is no different than what happens now when an inventory observation can't be done. But if the nature of audit absolutely requires that an observation be done in person but this is not possible, "then we have to deal with a scope limitation, and our standards direct us how to do that."

Modifying audit procedures for remote work can potentially put a lot of power in the hands of management, which can exert more direct control over what the CPA does and does not see. Dohrer emphasized that, especially now, auditors should not overly rely on management information, especially if they can't look at the original documents. They should therefore lean more heavily than before on external confirmations, but he warned that "there may not be anyone at the other end of that confirmation to respond--that is, customers and vendors you may be confirming with likely don't have people working there either."

Dohrer did say that auditors should see physical signatures to the greatest extent possible, as the "U.S. Postal Service is still working, a lot of delivery services are still working, so you can still get original signatures. That's no different than what we deal with today." He added that there's no actual requirement that the management representation letter needs to be on official letterhead, and so don't worry if management cannot get into their office. This is especially important with management representation letters.

"What the standard requires is that you obtain a signed representation letter by the time you release your report. The standard acknowledges that if you get that electronically or sent orally (the standard talks about even getting oral approval of the representation letter), you have to follow up and get a signed one. What I'd say about DocuSign and other methods is that in this environment we're in today, [the situation] is no different than it was six months ago. So the question I would ask is: 'Would you receive that DocuSign six months ago?'" he said.

Prather noted that he has heard many questions regarding the "going concern" standard, as the economic shock of the pandemic has led to a lot of uncertainty as to whether clients can survive. At the same time, however, some might think this is only a temporary blip in an otherwise strong company. Prather said it can be challenging to perform operations such as cash flow projections to make a going concern determination, which can muddy the water on this issue even further.

Dohrer said that, since one of the first steps with regard to the  going-concern standard is to determine whether or not there are events or considerations leading to doubt about a company's ability to continue on, the businesses for which this will not be an issue will be "very rare exceptions." 

"It's hard to envision how companies will not have to be looking at this going forward," he said.

As to how exactly this should be done, he advised that auditors look at the accounting framework being used and follow its guidance on when the going concern basis of accounting is appropriate. With this, the auditor should also consider whether emphasis of matter paragraphs will be needed in the report.

Uncertainty about going concern ties in with uncertainty about subsequent event pronouncements as well. Prather said that there are many businesses that may not have had any actual impacts yet to their operations, while others have experienced major disruptions, which leads practitioners to wonder whether there's a one-size-fits-all approach to these disclosures or whether they need to be specific to the business.

Dohrer said it's up to the individual auditor to make that call, but he noted that some filers have already worked coronavirus impacts into their disclosures and said they might want to look to those for guidance. As a general point, however, he said, "Things like that should be specific to the company."

However, he added later that "we believe it's true that, for Dec. 31 2019 financial statements, the coronavirus is a Type II subsequent event not requiring recognition in the financial statements, but a disclosure might be appropriate."

"[Determining] what the impact and significance is [is] frankly going to take a lot of judgment, so with any subsequent event, you need to look at whether the events and conditions, the causal factor, existed at the date of the financial statements, and if they did, you might have recognition issues to take account of, so just stick to the accounting guidance and what the requirements are," he said.

Click here to see more of the latest news from the NYSSCPA.